Ring Doorbell App for Android Sends Out Loads of User Data

The Ring doorbell application for Android contains third-party trackers and sends out a large amount of personally identifiable information (PII), the Electronic Frontier Foundation (EFF) has discovered.

The Ring app, the EFF says, sends user data to four main analytics and marketing companies, namely branch.io, mixpanel.com, appsflyer.com and facebook.com. Siphoned data includes names, IP addresses, network carriers, persistent identifiers, and sensor data.

Facebook is alerted when the app is opened, as well as when it is deactivated after the screen is locked, via the Graph API. Furthermore, data is sent to the social platform even if the user does not have an account, the EFF has discovered.

Information sent to Facebook includes time zone, device model, language preferences, screen resolution, and a unique identifier (anon_id). This identifier persists even when the OS-level advertiser ID is reset.

To ‘deep’ linking platform Branch, Ring sends several unique identifiers (device_fingerprint_id, hardware_id, identity_id), along with the device’s local IP address, model, screen resolution, and DPI.

Information that big data company AppsFlyer is provided upon app launch includes mobile carrier, Ring installation date, unique identifiers, whether AppsFlyer tracking came preinstalled on the device, installed sensors (magnetometer, gyroscope, and accelerometer) and current calibration settings.

Business analytics service MixPanel receives the most information: “users’ full names, email addresses, device information such as OS version and model, whether Bluetooth is enabled, and app settings such as the number of locations a user has Ring devices installed in,” the EFF explains.

While MixPanel is mentioned in Ring’s list of third party services, none of the other trackers is. The extent of the data collection is not revealed either.

Google-owned crash logging service Crashlytics also receives information from Ring, but the EFF has yet to determine the exact extent of data sharing.

The app sends the data over encrypted HTTPS in a manner that eludes analysis, the foundation says.

The amount of data shared with third parties, EFF notes, is alarming, as it allows these companies to easily track users across applications.
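As an added illustration (not code from the EFF, SecurityWeek or Ring), the following Python script audits request records that have already been captured and decrypted on a test device you control, reporting which of the tracker domains named above were contacted and which of the named identifier fields each received. The `(url, body)` flow format and the sample hosts, paths and values are constructed assumptions.

```python
import json
from urllib.parse import urlsplit

# Tracker domains and identifier field names exactly as named in the article.
TRACKERS = ("branch.io", "mixpanel.com", "appsflyer.com", "facebook.com")
ID_FIELDS = {"anon_id", "device_fingerprint_id", "hardware_id", "identity_id"}

def tracker_for(url):
    """Return the tracker domain for a URL, or None (label-boundary match)."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    for domain in TRACKERS:
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def find_ids(node, path=""):
    """Yield (json_path, field, value) for identifier fields at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}" if path else key
            if key in ID_FIELDS and not isinstance(value, (dict, list)):
                yield here, key, value
            yield from find_ids(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_ids(item, f"{path}[{i}]")

def audit(flows):
    """Map tracker domain -> sorted identifier fields seen in request bodies."""
    report = {}
    for url, body in flows:
        tracker = tracker_for(url)
        if tracker is None:
            continue  # first-party or unrelated host
        try:
            parsed = json.loads(body)
        except ValueError:
            parsed = None  # non-JSON body: still record contact with the tracker
        seen = report.setdefault(tracker, set())
        seen.update(field for _, field, _ in find_ids(parsed))
    return {t: sorted(f) for t, f in report.items()}

# Constructed sample flows as (url, request body); hosts, paths, values are made up.
SAMPLE_FLOWS = [
    ("https://api.branch.io/x", '{"hardware_id": "h1", "meta": {"device_fingerprint_id": "f2"}}'),
    ("https://graph.facebook.com/x", '{"events": [{"anon_id": "a3"}]}'),
    ("https://notfacebook.com/x", '{"anon_id": "not counted"}'),
    ("https://t.appsflyer.com/x", "carrier=example"),
]
```

Calling `audit(SAMPLE_FLOWS)` returns the per-tracker report; a tracker with an empty field list was contacted but sent none of the named identifiers in a JSON body.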

“Ring claims to prioritize the security and privacy of its customers, yet time and again we’ve seen these claims not only fall short, but harm the customers and community members who engage with Ring’s surveillance system,” EFF concludes.

Following security and privacy-related complaints, Amazon-owned Ring announced earlier this month that its iOS and Android applications will soon include a new Control Center from where users can manage privacy and security features and settings. The Control Center makes it easier for users to enable two-factor authentication, see who is logged into an account and log them out, review third-party service connections, and prevent local police departments from accessing footage from Ring cameras.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
